Protecting use of DB2 command prefixes

Article ID: 77349

Products

CA Top Secret
CA Top Secret - LDAP

Issue/Introduction



OPCMD Resources such as '-DC11' can be used to protect use of DB2 command prefixes, for example to authorise
the corresponding DB2 STC ACID. It's stated in the TSS Command Functions Guide, Chapter 4, in the section on
the OPCMD Resource Class, that '..the OPERCMDS Resource Class may be used instead.' Can OPERCMDS also be
used to protect DB2 command prefixes and if so, what syntax should be used?

Environment

Component: TSSMVS

Resolution

OPCMD or OPERCMDS will not provide this security. The only DB2 command for which these calls occur is
'-DC11 START DB2'. In that case you would see the following calls for each class:
========================================================
ACID            CLASS       ENTITY NAME

Issuing user    OPCMD       START
Issuing user    OPERCMDS    MVS.START.STC.DB1BMSTR

DB2 STC         OPCMD       START
DB2 STC         OPERCMDS    MVS.START.STC.BRLMPROC

DB2 STC         OPCMD       START
DB2 STC         OPERCMDS    MVS.START.STC.DB1BDBM1
========================================================

Neither OPCMD nor OPERCMDS is checked for other DB2 commands such as DISPLAY or STOP. In those cases
the only external security command checking is performed by either TSS/DB2 (if used) or the DB2 external
security authorization exit ([email protected]). Without these security features/products no external security checks
will occur for DB2 commands.